Data protection and GDPR

The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) regulate the way we use your personal information. You provide this information when you use council services or come into contact with us. The Act provides a legal framework for the way we handle this data. This page explains the things we do to make sure we comply with the Act. These activities are overseen by our Data Protection Officer.

Policies and training

We have updated our data protection and cyber security eLearning to make sure our staff are trained in how to handle personal information. We have also updated all of our policies and procedures to make sure our staff have the right information. We will continue to review this material and update it as the regulator publishes new guidance and best practice information.

System review and security

We make sure the systems we use have sufficient controls and security in place, both so that staff access can be managed effectively and to protect against external threats. The Council employs an IT Security Manager to review and ensure IT security compliance, and we work with the Data Protection Officer to make sure that both existing and new systems have adequate protections and security, including firewalls, encryption and external audit (for example, certification and penetration testing).

Contracts and third parties

GDPR requires us to review our contractual terms to make sure that the other organisations and businesses we work with have the correct protections and clauses in place for using personal data. There are standard terms and conditions approved by our legal services team. Relationships with third parties have been reviewed and either updated contractual terms or information-sharing agreements have been put into place.

Dataset and risk management

We are required to risk-assess all the different ways that the council collects, uses, stores, shares and destroys personal data. The council has completed a detailed assessment of its different systems, files and processes and has identified a programme of improvements and best practice to be shared throughout the organisation. The output of this is a register of Data Protection Impact Assessments and an Information Asset Register, which together show the scale of the data used and its compliance with the GDPR.

Legal basis and legal standards

Buckinghamshire Council is a 'creature of statute' and, as such, the vast majority of what the council does is done because there is a legal requirement to do it. The council has identified all the different legal reasons for the collection and use of data; these have been captured within the Data Protection Impact Assessment of each dataset.